I installed it yesterday with --dirsrv-cert-file, --http-cert-file and --no-pkinit, then added certificate authority (ipa-ca-install) and enabled pkinit (ipa-pkinit-manage enable) On Fri, Mar 13, 2020 at 5:47 PM Peter Tselios via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org&gt; wrote:

You lose nothing with --no-pkinit because you add certificate authority and enable pkinit later. But seems it's a relatively new option, we installed our prod instance back in 2016 and it didn't ask for --no-pkinit at all. I found it yesterday. Our main instance is running with pkinit disabled and it do all we want for us. I started to play with pkinit just yesterday. [root@auth ~]# ipa-ca-install Directory Manager (existing master) password: Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/29]: configuring certificate server instance [2/29]: reindex attributes ... [28/29]: adding 'ipa' CA entry [29/29]: configuring certmonger renewal for lightweight CAs Done configuring certificate server (pki-tomcatd). Updating DNS system records [root@auth ~]# ipa-pkinit-manage status PKINIT is disabled The ipa-pkinit-manage command was successful [root@auth ~]# ipa-pkinit-manage enable Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Done configuring Kerberos KDC (krb5kdc). [root@auth ~]# ipa-pkinit-manage status PKINIT is enabled The ipa-pkinit-manage command was successful On Fri, Mar 13, 2020 at 7:23 PM Peter Tselios via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org&gt; wrote:

Alexander, kinit -T doesn't work for me if 2FA enabled. Could you check my question "Kerberos and 2FA" from yesterday and help to debug it? On Fri, Mar 13, 2020 at 8:12 PM Alexander Bokovoy <abokovoy(a)redhat.com&gt; wrote:

On ma, 16 maalis 2020, Peter Tselios via FreeIPA-users wrote: That wiki page explains its use. We utilize anonymous PKINIT internally for Web UI password-based logins, aside from any other use that you might have for normal PKINIT. In general, PKINIT is a way to use smartcard (public key) authentication with Kerberos, where actual authentication is done before Kerberos KDC authenticates you (hence, it is a pre-authentication method in Kerberos). A client uses own certificate to mutually authenticate KDC pretty much like SSL/TLS authentication with client certificates happens. The result of the mutual authentication is then used to create a session key for Kerberos ticket granting ticket. Anonymous PKINIT is a special case where a client identity does not need to be proved. This corresponds to normal SSL/TLS use for HTTPS connections where your browser does not need to present own certificate but validates the server certificate. KDC then issues a ticket granting ticket for a special Kerberos principal that can only be used (realistically) to create a FAST channel wrapping. As result, one can use anonymous PKINIT ticket to encrypt an exchange to authenticate with 2FA in Kerberos. Both variants of PKINIT require KDC and Kerberos clients to have knowledge of public key infrastructure: KDC has to own a certificate it would be presenting to the clients and clients should present own certificates in case they are trying to prove possession of a particular Kerberos identity (non-anonymous). This is where certificates for PKINIT are required. They could be issued by different parties (not neccessary IPA CA) but there are quite a few requirements to their content, especially on KDC side. RFC 4556 defines PKINIT. It also defines special extended key usages (EKU) for the certificates used in PKINIT exchanges. These EKUs have to be present in the certificates. Practically, FreeIPA supports several mechanisms that allow one to avoid use of Kerberos-specific EKUs in client certificates but KDC certificates must still have them or include special Kerberos principal fields for IPA KDCs. Those fields are typically not added by external CAs, you have to handle that explicitly, so for internal use we also issue PKINIT KDC certs for non-integrated CA case. The caveat is that these certs are only trusted by IPA Web UI as they are issued by the local certmonger on IPA KDCs. But if integrated CA is used or external CA has provided correct PKINIT KDC certs, those are used instead. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

On 3/13/20 3:46 PM, Peter Tselios via FreeIPA-users wrote: Hi, As Leonid said, if you don't provide a certificate for PKinit, you need to add the option --no-pkinit. I agree that the doc is not properly explaining that, but it has been enhanced in RHEL8 doc set: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... You can open a documentation bug if you feel it should be fixed in RHEL7 doc set. flo